Lots of big tech companies (including mine) let their devs run VSCode on company machines. If there was a concern about spyware, I feel like all of those security teams across the industry wouldn't have signed off on this, especially with billions of dollars of IP at stake.
I think there's a bit of a difference between a bug that went undiscovered for years and vetting third-party software to see if its telemetry compromises your employees or IP.
I mean, sure, if you want to avoid log4j from happening, you can write all of your software from the ground up in-house with no third-party dependencies (or audit every line of code for every third-party program you do use), but I don't see how that's relevant to a discussion about whether VSCode is compromised to a degree that other editors aren't.
The point was that people thought "Oh surely log4j was vetted by the big companies that depend on it - I mean it must be OK if AcmeCorp uses it!" (or openssl, or sendmail, or ...). That's not too different from "Oh look at all these big tech companies using it, they must have vetted the telemetry".